BitCoin alternative: distributed, but not decentralized cash

Cryptographer Ben Laurie, celebrated BitCoin skeptic, has written a short, provocative paper called An Efficient Distributed Currency, which proposes a distributed (but not decentralized) alternative. Kevin Marks is excited: "In effect you're doing an end run around Gresham's law, in the same way that the Brazilian Real did - and not how the US Govt is doing with dollar coins." (sidebar: holy cats, that Brazil story is awesome).
We need an efficient way to agree the total state of the system (that is, what coins exist, who has possession of them and the transaction history).

First, we view the state as a map of coins to purses. This can be represented as a list of coins, each with the number of the purse it is in. I call this a snapshot.

A snapshot can be hashed by forming an ordered list of the coins and building a Merkle tree from them. I call this a snapshot hash. Clients can now efficiently query the current state and check that the results match an agreed snapshot hash (I will come to how it is agreed later).

A transaction is a change in the state, which can be thought of as a transition from one snapshot to another. Only two transitions are legal.

First, creation of a new coin. This manifests itself by a new coin record appearing, assigning the coin to some purse. Second, movement of a coin from one purse to another. This is simply a change to the appropriate coin record.

A transaction is recorded in the transaction log by appending the snapshot hash of the new snapshot (and remembering the corresponding state, so it can be queried!).

An Efficient and Practical Distributed Currency (

An Efficient Distributed Currency (PDF)

(via Epeus' epigone)
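The snapshot, snapshot hash and transaction log from the excerpt above, as an added sketch that is not code from Laurie's paper. The record encoding (`coin:purse`), SHA-256, the leaf/node prefixes and all function names are assumptions made for illustration; it goes slightly beyond the excerpt by including the inclusion proof a client would use to check a query result against an agreed snapshot hash.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _leaf(coin: int, purse: int) -> bytes:
    # 0x00/0x01 prefixes keep leaf hashes distinct from inner-node hashes.
    return _h(b"\x00" + f"{coin}:{purse}".encode())

def _levels(snapshot: dict) -> list:
    # Leaves are the coin records in coin order, so every party builds the same tree.
    level = [_leaf(c, p) for c, p in sorted(snapshot.items())] or [_h(b"")]
    levels = [level]
    while len(level) > 1:
        level = [_h(b"\x01" + level[i] + level[i + 1]) if i + 1 < len(level)
                 else level[i]                      # odd node is promoted unchanged
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def snapshot_hash(snapshot: dict) -> bytes:
    return _levels(snapshot)[-1][0]

def prove(snapshot: dict, coin: int) -> list:
    """Sibling hashes from the coin's leaf up to the root."""
    idx, path = sorted(snapshot).index(coin), []
    for level in _levels(snapshot)[:-1]:
        if (idx ^ 1) < len(level):
            path.append(((idx & 1) == 1, level[idx ^ 1]))  # (sibling on the left?, hash)
        idx //= 2
    return path

def verify(root: bytes, coin: int, purse: int, path: list) -> bool:
    """Client-side check of a query answer against an agreed snapshot hash."""
    node = _leaf(coin, purse)
    for sibling_on_left, sibling in path:
        node = _h(b"\x01" + (sibling + node if sibling_on_left else node + sibling))
    return node == root

def transition(snapshot: dict, log: list, coin: int, to_purse: int, from_purse=None) -> dict:
    """Apply one of the two legal transitions and append the new snapshot hash."""
    # Assumption: who is authorised to create or move a coin is checked elsewhere.
    if from_purse is None and coin in snapshot:
        raise ValueError("creation: coin already exists")
    if from_purse is not None and snapshot.get(coin) != from_purse:
        raise ValueError("movement: coin is not in the source purse")
    new = {**snapshot, coin: to_purse}
    log.append(snapshot_hash(new))
    return new
```

A proof is only as good as the root it is checked against: a client that accepts a snapshot hash from the same party that answers its queries learns nothing, which is why agreement on the log matters.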


  1. Can someone explain the real difference to bitcoins? As I read it he wants to have a “central” server keeping track of the log, and then to make it secure actually have any number of these “central” servers which can keep track of each other to make sure that there is no fooling around. It seems exactly like what bitcoins are doing except they are described as decentralized because the users are doing the tracking whereas he describes his system as centralized because each server is “centrally” keeping track of the state. I think it’s the same difference, how am I mistaken?

  2. @Vincent Larsen: the core issue is that it is necessary to achieve consensus on the ordering of transactions. Without ordering, you can’t determine which of two conflicting transactions is the correct one.

    Ben Laurie proposes to give up the full decentralization and instead let a smaller number of minters agree on rules among themselves to achieve consensus on the order of transactions. The rules are not exactly specified but I imagine disputes would be resolved by some sort of majority vote. The minters need to be limited to an exclusive club because otherwise an attacker could overwhelm the system with malicious shills.

    In Bitcoin, the “majority vote” also exists but it is linked to computing power. Any node can collect the next transactions in a block and attempt to finish a proof of work on that block. Each block is linked to the previous one, so you get a “proof of work” chain which orders all transactions. If the chain forks, the chain representing the most work is accepted. Anyone can participate, and is encouraged to do so by rewards: coinbase and transaction fees. Attackers need to out-compute the rest of the network if they want to change the order of transactions.

    Ben Laurie rejects the Bitcoin approach because according to him, it will not be secure until Bitcoin consumes more than 50% of all the computing power in the world, and this would be a tremendous waste. (This strikes me as a rather pessimistic view, but if you only accept perfect security that can protect you even from an attacker that can afford to ignore cost and economic incentives, then I guess it is technically correct.)

  3. His proposal is great, if you want to have a centralized control scheme that can duplicate currency at will. I’ll never understand people’s tendencies to resist something because it is new. Instead, they vainly try to cobble together some chimera-like system that fits the worst part of the old with the new.

    I’ll bet you right now that bitcoin kicks this ‘alternative’ into another dimension without even trying. Hard to fight the first-mover advantage of 13 Tera-hashes a SECOND. Centralization of currency is failing around the world, and rightly so.

    1. People tend to resist trying new things with currency because the stakes are very high. If you get it wrong people get hurt. I’m not familiar enough with BitCoin to judge it, but I am very wary of any currency that requires every purchase I make be tracked.

      1. Valid point. A healthy dose of wariness is important for anything new that requires a lot of resources. I did a significant amount of research on it before I concluded it’s a sound technology.

      2. Thank you for providing an example of what I’m talking about. Here, you are worried about the public transaction ledger – the blockchain – which has nothing beyond the amount and public key that was used.

        Using conventional payment methods (other than cash, which bitcoin emulates and improves upon), your transaction is recorded by every intermediary with your full name and address details. This tracks everything you’ve ever done with great ease. Oh, and you pay much higher fees for this ‘privilege’.

        You have no hope of anonymity using conventional methods. With bitcoin, you don’t automatically have anonymous functionality – but there are simple ways to ensure that you do. The main point here is that it is in YOUR hands, how to manage your funds.

        I’ll take having power over my money versus relying on banks who don’t tell customers about security incursions while charging the maximum possible rates on shifting bits through their servers.

  4. Let me tell you how BitCoins got fucking SCARY. I started a thread on a forum, a forum known to have a bunch of the internet’s best asshats. In only a few hours, the thread itself was rocking the BitCoin currency. I started getting fucking death threats from people telling me to delete the thread. Others just casually mocked me for even feigning interest into it. Yeah, I started off a proponent, but it looks like martial law is the backing force of BTC.

    1. I used to think politics or religion was the way to get a good flame thread going. Seems trying to change our monetary system has taken the front seat. I’d also question the seemingly ‘real’ people that are objecting.

      As has been covered here on this blog, there are systems under government programs that use fake social network profiles to advance viewpoints favored by the U.S. Combine that with the general resistance to anything new, and you have quite a volatile mix.

      Sorry to hear you were treated badly, but then again world-changing ideas usually get the short end of the stick by those that stand to suffer most from change.

  5. I propose basing a currency off of hard substance with intrinsic value that is also extremely rare. Anti-matter!

    Not only does it cost a significant amount of energy/time/effort to produce like bitcoins, but it also takes energy to maintain. I do worry about the deflationary effects, however, if the power goes out.

  6. The problem with any system, be it whuffie, bitcoin, or the like is it can be gamed to an extent.

    Till we can find a way to remove gaming (impossible without changing human nature), or find a way for gaming to be irrelevant, we won’t have a good digital currency.

    1. I suggest reading the whitepaper –
      and checking out the “Popular Myths” section of the wiki –

      I think you’ll find the transparency and security built into the public transaction ledger mitigates any “gaming” concerns you have. The current network power is now at 13 Tera-hashes a second. This is a formidable obstacle for anyone with devious intentions to surmount.

      As you’ll find in the whitepaper, forking the chain via computational resource attack not only provides extremely limited opportunity, it proves the core design elements are sound. It makes more sense to use any aggregated computing power to play by the rules, instead of trying to conquer the system.
